IN THE CLAIMS:

1. (Original) A method in a data processing system for reporting security situations,
comprising the steps of: 

logging events by storing event attributes as an event set, wherein each event set 
includes a source attribute, a target attribute and an event category attribute; 

classifying events as groups by aggregating events with at least one attribute 
within the event set as an identical value; and 

calculating severity levels for the groups; 

reporting a group from the groups to a user as a situation, if a severity level of the 
group exceeds a threshold value. 

2. (Original) The method of claim 1, wherein the severity levels are calculated 
based on at least one of the number of event sets within each of the groups, the source 
attribute of the event sets within each of the groups, the target attribute of the event sets 
within each of the groups, and the event category attribute of the event sets within each 
of the groups. 

3. (Original) The method of claim 1, wherein the events include at least one of a
web server event, an electronic mail event, a Trojan horse, denial of service, a virus, a 
network event, an authentication failure, and an access violation. 

4. (Original) The method of claim 1, further comprising:

calculating the threshold value based on at least one of the source attribute of the 
event sets within the group, the target attribute of the event sets within the group, the 
event category attribute in each event set of the group, and the number of attributes in 
each event set of the group that are held constant across all of the event sets in the group. 

5. (Original) The method of claim 1, wherein the target attribute represents one of a
computer and a collection of computers. 

Page 2 of 12 
Black et al.- 09/931.301 

PAGE 4/14 *RCVD AT 2/7/2005 2:13:02 PM [Eastern Standard Time] * SVR:USPT0-EFXRF-1/6 * DNIS:8729306 * CSID:9723857766 * DURATION (mm-ss):04-34 


02/87/2005 13:10 9723857766 YEE & ASSOCIATES PAGE

6. (Original) The method of claim 1, wherein the source attribute represents one of
a computer and a collection of computers. 

7. (Original) The method of claim 1, further comprising: 
aggregating a subset of the groups into a combined group. 

8. (Original) A computer program product in a computer readable medium for 
reporting security events, comprising instructions for: 

logging events by storing event attributes as an event set, wherein each event set
includes a source attribute, a target attribute and an event category attribute;

classifying events as groups by aggregating events with at least one attribute
within the event set as an identical value; and

calculating severity levels for the groups; 

reporting a group from the groups to a user as a situation, if a severity level of the
group exceeds a threshold value. 

9. (Original) The computer program product of claim 8, wherein the severity levels
are calculated based on at least one of the number of event sets within each of the groups,
the source attribute of the event sets within each of the groups, the target attribute of the
event sets within each of the groups, and the event category attribute of the event sets
within each of the groups.

10. (Original) The computer program product of claim 8, wherein the events include
at least one of a web server event, an electronic mail event, a Trojan horse, denial of 
service, a virus, a network event, an authentication failure, and an access violation. 

11. (Original) The computer program product of claim 8, comprising additional
instructions for: 

calculating the threshold value based on at least one of the source attribute of the 
event sets within the group, the target attribute of the event sets within the group, the 
event category attribute in each event set of the group, and the number of attributes in
each event set of the group that are held constant across all of the event sets in the group. 

12. (Original) The computer program product of claim 8, wherein the target attribute 
represents one of a computer and a collection of computers. 

13. (Original) The computer program product of claim 8, wherein the source attribute 
represents one of a computer and a collection of computers. 

14. (Original) The computer program product of claim 8, comprising additional 
instructions for:

aggregating a subset of the groups into a combined group. 

15. (Original) A data processing system for reporting security events, comprising: 
a bus system; 

a memory; 

a processing unit, wherein the processing unit includes at least one processor; and 
a set of instructions within the memory, 

wherein the processing unit executes the set of instructions to perform the acts of: 

logging events by storing event attributes as an event set, wherein each event set 
includes a source attribute, a target attribute and an event category attribute; 

classifying events as groups by aggregating events with at least one attribute 
within the event set as an identical value; and 

calculating severity levels for the groups; 

reporting a group from the groups to a user as a situation, if a severity level of the
group exceeds a threshold value.

16. (Original) The data processing system of claim 15, wherein the severity levels are
calculated based on at least one of the number of event sets within each of the groups, the 
source attribute of the event sets within each of the groups, the target attribute of the 
event sets within each of the groups, and the event category attribute of the event sets 
within each of the groups. 

17. (Original) The data processing system of claim 15, wherein the events include at 
least one of a web server event, an electronic mail event, a Trojan horse, denial of 
service, a virus, a network event, an authentication failure, and an access violation. 

18. (Original) The data processing system of claim 15, wherein the processing unit
executes the set of instructions to perform the act of: 

calculating the threshold value based on at least one of the source attribute of the 
event sets within the group, the target attribute of the event sets within the group, the 
event category attribute in each event set of the group, and the number of attributes in 
each event set of the group that are held constant across all of the event sets in the group.

19. (Original) The data processing system of claim 15, wherein the target attribute
represents one of a computer and a collection of computers. 

20. (Original) The data processing system of claim 15, wherein the source attribute 
represents one of a computer and a collection of computers. 

21. (Original) The data processing system of claim 15, wherein the processing unit
executes the set of instructions to perform the act of: 

aggregating a subset of the groups into a combined group. 
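
The steps recited in claims 1, 2 and 4 can be illustrated in Python as follows. This is an added example, not part of the application or the applicants' implementation; the severity formula (event count), the threshold formula, and the sample event sets are assumptions made for illustration.

```python
from collections import defaultdict
from itertools import combinations

ATTRS = ("source", "target", "category")

def ev(source, target, category):
    return {"source": source, "target": target, "category": category}

# Constructed sample event sets (addresses and host names are made up).
EVENTS = (
    [ev("192.0.2.5", "hostA", "auth_failure")] * 3
    + [ev("192.0.2.5", "hostC", "auth_failure"),
       ev("192.0.2.5", "hostD", "auth_failure"),
       ev("192.0.2.9", "hostB", "virus"),
       ev("192.0.2.7", "hostA", "web_server")]
)

def classify(events):
    """Group event sets that hold one or more attributes at an identical value."""
    groups = defaultdict(list)
    for event in events:
        for n in range(1, len(ATTRS) + 1):
            for held in combinations(ATTRS, n):
                groups[tuple((a, event[a]) for a in held)].append(event)
    return groups

def severity(members):
    # Assumption: severity is the number of event sets in the group.
    return len(members)

def threshold(key, base=6, step=2):
    # Assumption: each extra attribute held constant lowers the threshold,
    # so a narrow, specific group is reported on fewer events than a broad one.
    return base - step * (len(key) - 1)

def situations(events):
    """Return (constant attributes, severity) for groups over their threshold."""
    hits = [(dict(key), severity(members))
            for key, members in classify(events).items()
            if severity(members) > threshold(key)]
    return sorted(hits, key=lambda hit: -hit[1])

if __name__ == "__main__":
    for held, sev in situations(EVENTS):
        print(sev, held)
```

With the sample data, two groups are reported: the five authentication failures sharing one source across several targets, and the three identical failures against a single target. The single-attribute groups stay below their higher threshold.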